Are auditors Patriot Act-ready?

Shortly after Sept. 11, 2001, America's financial institution auditors - internal and external - were called to the trenches of the war against terrorism. Under Section 352 of the USA Patriot Act, they have been required to verify that their institutions have adequate risk assessment and prevention systems in place.

According to Edwin Rivas, CFSA, CRCM and director of Hypo Real Estate International, who recently delivered a lecture on the issue at an Institute of Internal Auditors' conference, auditors need continuous training to keep current with industry best practices. Regulators assess due diligence according to those practices, and financial institutions don't want to be the weakest link in the fight against terrorism.

Rivas said that sometimes auditors fail to fully comply with the act - and sometimes even to recognize that their companies are considered financial institutions.

Those who fail to keep up with the requirements of the act could leave their institutions subject to penalties. "The Patriot Act has changed the type of due diligence that is required to be conducted by financial institutions," Rivas said, "and it has expanded the scope of the definition of financial institutions."

DILIGENCE REQUIRED

Under the act, the definition of a financial institution covers not only banks and insurance companies, but securities brokers, investment advisors and money transmission services. The act requires financial institutions to have internal due diligence policies and procedures, an anti-money-laundering officer, training for employees, and an independent audit function to test programs.

An institution's due diligence process must include risk-based assessments of clients, foreign banks, and certain types of transactions and activities. Some of the requirements, Rivas said, are very specific, but others are more subjective. Among the people subject to enhanced due diligence are foreign "politically exposed persons" such as current and former senior government officials and military leaders, their families, and their associates. "If a potential new client works for a government and has a high net worth, we have to investigate the source of his wealth," Rivas said.

The law requires banks to notify clients that U.S. financial institutions must verify certain identifying information. The institutions must continuously monitor clients and check their names against various national and international lists of known or suspected terrorists. Among the organizations maintaining those lists are Interpol, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC), and various foreign governments.

"It's important for an auditor to know this," Rivas said. "It isn't a matter only of the function being executed, but the timing of it. You don't want to open an account for a customer and then a week later find out that this person is on a government list. It's important for the auditor to take into consideration what kinds of preventive controls the institution has to mitigate that risk."
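The timing problem Rivas describes has two halves: screen the name before the account is opened (a preventive control), and re-screen every open account whenever a list is updated (a detective control), so that a customer who lands on a list a week after onboarding is caught without waiting for the next manual review. The following is an added illustration, not code from the article or from any institution quoted in it. The list entries, customer names and identifiers are constructed for the example, and the token-sorted, diacritic-stripped name comparison using Python's difflib is a deliberately simple stand-in for a production screening engine; the point is the control flow, not the matching algorithm.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, and sort tokens so that
    'Sampleton, Jane Q.' and 'Jane Q Sampleton' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", no_accents.casefold())
    return " ".join(sorted(cleaned.split()))


@dataclass(frozen=True)
class ListEntry:
    uid: str          # identifier assigned by the list publisher (constructed here)
    source: str       # which list the entry came from
    names: tuple      # primary name followed by known aliases


@dataclass
class Customer:
    customer_id: str
    name: str
    status: str = "pending"            # pending -> open | held_for_review
    hits: list = field(default_factory=list)


def screen(name: str, watchlist, threshold: float = 0.85):
    """Return [(entry, score), ...] for every entry whose best alias scores
    at or above the threshold, strongest match first."""
    target = normalize(name)
    hits = []
    for entry in watchlist:
        best = max(SequenceMatcher(None, target, normalize(n)).ratio()
                   for n in entry.names)
        if best >= threshold:
            hits.append((entry, round(best, 3)))
    return sorted(hits, key=lambda h: -h[1])


def onboard(customer: Customer, watchlist) -> Customer:
    """Preventive control: the account is only opened if screening is clean."""
    customer.hits = screen(customer.name, watchlist)
    customer.status = "held_for_review" if customer.hits else "open"
    return customer


def rescreen(customers, watchlist, seen_uids: set):
    """Detective control: when the list changes, run every open account
    against the entries added since the last run. Returns the customer
    ids that were newly held."""
    new_entries = [e for e in watchlist if e.uid not in seen_uids]
    flagged = []
    for c in customers:
        if c.status != "open":
            continue
        hits = screen(c.name, new_entries)
        if hits:
            c.hits.extend(hits)
            c.status = "held_for_review"
            flagged.append(c.customer_id)
    seen_uids.update(e.uid for e in new_entries)
    return flagged


# Constructed sample list and customers; none of these refer to real people.
INITIAL_LIST = [
    ListEntry("EX-0001", "example-sdn", ("Sampleton, Jane Q.", "Jane Q Sampleton")),
]
LIST_AFTER_UPDATE = INITIAL_LIST + [
    ListEntry("EX-0002", "example-sdn", ("Ordinary, Robert",)),
]


def demo():
    """Walks through onboarding, a list update, and the re-screen."""
    seen = {e.uid for e in INITIAL_LIST}
    customers = [
        onboard(Customer("C-001", "José Álvarez"), INITIAL_LIST),
        onboard(Customer("C-002", "Robert Ordinary"), INITIAL_LIST),
        onboard(Customer("C-003", "Jane Sampleton"), INITIAL_LIST),
    ]
    before = {c.customer_id: c.status for c in customers}
    newly_held = rescreen(customers, LIST_AFTER_UPDATE, seen)
    after = {c.customer_id: c.status for c in customers}
    return before, newly_held, after


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two things in the flow matter to an auditor reviewing this control: `onboard` never sets the status to `open` until the screening result is known, and `rescreen` keys off list entry identifiers rather than a timestamp, so an account opened between two list updates cannot slip through a gap. The `seen_uids` set stands in for whatever record the institution keeps of which list version each account was last checked against.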

Francisco Iglesias, senior vice president and chief auditor of Republic Federal Bank, said that the Patriot Act puts a huge responsibility on banks. "We, as bankers, have to act as police, jury and enforcers," he explained. "Based on our perceptions of risk, we may close or decline to open an account."

If an institution notices suspicious activity, it must report the suspicion to regulators, who then investigate the individual in question. Reports of suspicious activity, Iglesias said, are fairly common.

He added that some institutions have rigorous policies, while others have lax policies or simply fail to comply with the law. Since the more serious institutions will tend to avoid relationships with risky individuals, those people will tend to take their business to institutions that accept risky clients, giving those institutions a competitive advantage. He suggested that banks compensate employees not only for bringing in new business, but for complying with internal policies.

The Patriot Act also requires auditors to verify that financial institutions are monitoring correspondent bank accounts - that is, accounts that U.S. banks maintain for, or with, foreign banks. Such arrangements are often made to facilitate currency exchanges or overseas payments.

Auditors are also required to confirm that their institutions are performing risk-based due diligence for activities involving "high-risk" countries known for corruption, drug trafficking, money laundering or terrorist activity. The act does not list these countries. Rather, it expects financial institutions - and, by extension, their auditors - to assess countries based on the effectiveness of their anti-terrorism and anti-money-laundering regulations.

"The auditor has to understand that due diligence for an office in one country is different from due diligence for an office in another," Rivas said.